Marc Bleicher is a hostage-taker – but he is not trying to save human hostages, he is trying to save data.
Bleicher, managing director of cybersecurity consulting firm Arete Advisors, is a specialist helping companies deal with ransomware – the type of cyberattack in which hackers lock up a company's computers and then demand payment to reverse the encryption.
He has given CNBC a rare and exclusive glimpse into a shady world where American companies are paying millions of dollars to known criminals.
It's a corner of the criminal underworld that has seen explosive growth. According to a report by Chainalysis, the total amount paid by ransomware victims increased 336% in 2020 on cryptocurrency valued at nearly $ 370 million.
And some big players are making huge profits: According to the report, the digital hostage takers are dominated by big players who bring in millions of dollars annually. Only 199 cryptocurrency deposit addresses will receive 80 percent of all funds sent from ransomware addresses in 2020, according to Chainalysis.
All of these payments have created an underground marketplace where criminals and their victims in American corporations must come together to achieve terms and exchange funds.
Ransomware has hit small and large businesses alike, causing increasingly costly shutdowns at county governments, schools, and even hospitals. For example, in June, Magellan Health announced it had been hit by an attack that ultimately affected more than 300,000 people. The Clark County, Nevada school district exposed an attack in August that may reveal student data. And in July, the city of Lafayette, Colorado paid a $ 45,000 ransom to regain control of its systems.
Let's call it the blackmail economy
Bleacher is a middleman in this economy and often finds himself using his fingers on a keyboard to negotiate directly with the bad guys. He's also the one who sends the payments when companies decide to pay the ransom.
"Some customers are extremely angry," he told CNBC. "Many of these victims are also in shock." But they all share one goal, he added: "To stop the bleeding and make it go as quickly as possible."
Bleicher said he has monitored the payment of hundreds of millions of corporate dollars to criminal hackers and sees ransom demands growing. A hacker recently demanded $ 70 million from one of his customers despite saying the customer found a way not to pay. But he explained that even ransom demands this high are almost always negotiable.
The ransom note, like everything else in this business, is digital. "Your network has been infected!" announces the warning from a recently released ransom note that Bleicher shared with CNBC. "Follow the directions below, but keep in mind that you don't have a lot of time."
The note included a countdown clock, set a price, and warned, "If you don't pay on time, the price will be doubled." In this case, the hackers demanded payments in Monero, a particularly difficult-to-track cryptocurrency preferred by the hackers.
In another real ransom note from Arete, the hackers said, "To unlock files, you need to pay 3.8 bitcoin" – that's more than $ 200,000. "To confirm our honest intentions, we will be unlocking two files for free."
It's alarming but compelling warnings like these that are forcing companies to make the agonizing decision of ignoring the FBI's warnings not to pay off the hackers. "Paying the ransom is always the last resort," said Bleicher.
For many companies, however, this is an existential threat. "I think at the end of the day that even the FBI would agree that some of these organizations really have no other options if they don't want to lose their business."
The haggling takes place in a chat room in the dark web. Belicher said he didn't know who was on the other side of his screen, but they already knew a lot about his customers. For listed companies, the hackers know the annual income and calculate a ransom note from there.
And the hackers have complete visibility into the organization: "They may have access to the company's financial data by being on their network," said Bleicher.
But it's not just size that sets the price – it's the sensitivity of the data: "This 10-person law firm may have politicians clients, so the ransom can be extremely high compared to a Fortune 50 company where the ransom is lower and because they only got a certain part of their data. "
Bleicher did not want to go into detail about how he is negotiating. However, an officer from another cybersecurity company, who spoke on condition of anonymity so as not to overly attract the hackers' attention, provided some insight. "We create fake profiles so that they don't know that they are professional negotiators," the official told CNBC. "The profiles are usually mid-level employees so we can delay approval and go back to a manager."
And even during the negotiations, the official said, the cybersecurity company's goal could be to delay long enough to conduct an investigation or extract information from the hackers about what they have and how much they know. "In some cases we were able to get full directory listings during the negotiations without paying for them," the official said. "This helps us to understand which systems the attacker has access to."
Jason Kotler, founder and CEO of a cyber negotiation firm called Cypfer, said the criminals knew what to expect. "They're expecting a hearing," he said. "For billion dollar companies, they expect billions of dollars in payments." There's even such a thing as an industry standard: "It's roughly a percentage of their published net earnings – half a percent for billion dollar companies."
"I wish I wasn't in the business I'm in," said Kotler. "It really is war. This is war."
The bad guys
D.O.J. Wanted poster for Maksim Viktorovitch Yakubets
Sometimes war isn't just a metaphor. Bleicher said companies could be comfortable paying off crooks – but they don't want to pay terrorists or violate US or Western sanctions. The most important thing his company does is check with the U.S. Treasury Department for Foreign Wealth Control to see if the companies they pay have any connection with any known sanctioned organizations.
The aim is to ensure that the victim companies do not inadvertently break US or European laws. The challenge is that on the dark internet you don't always know exactly who you are dealing with. The North Korean military, Iranian intelligence, and cyber criminals linked to the Russian oligarch are all heavily involved in ransomware attacks.
In February, for example, the Justice Department overturned the charges against three North Korean programmers who alleged they participated in a widespread criminal conspiracy to carry out a series of destructive cyberattacks and steal more than $ 1.3 billion in cash and cryptocurrency from funds and blackmail institutions and companies.
The US said three men, Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, were members of an elite hacking unit of the North Korean military intelligence organization known as the Reconnaissance General Bureau. The US accused the men of developing the destructive ransomware software WannaCry 2.0 in 2017 and "extorting and attempting to blackmail victim companies from 2017 to 2020 while stealing sensitive data".
In late 2019, the US government accused the Lamborghini-driving Russian leader of a hacking group called Evil Corp, and the FBI announced a reward of up to $ 5 million for information leading to the arrest or conviction of Maksim Yakubets  led. from Moscow. It was the largest such offer for a cybercriminal to date. The government said versions of the malware developed by Evil Corp had helped criminals install ransomware.
At the same time, the UK authorities released a plethora of videos and social media posts of yakubets and other suspected members of Evil Corp. making donuts in expensive sports cars on Moscow streets, posing for a lot of money and even cuddling with a baby lion.
It seems inevitable that at least some American corporate funds will be transferred directly into the cryptocurrency wallets of American enemies.
But here's the good news, at least for American business leaders: Bleicher said there is honor among thieves. When companies pay the ransom, the criminals almost always live up to their end of business. In fact, their business model depends on building a reputation for reliability.
If they don't share the data with one victim, the next target may choose not to pay at all. And as soon as they send the cryptocurrency to the bad guys, the hackers move quickly: "Nine out of ten cases, you can expect the decryption key to be delivered within 24 hours or less."
Bleicher's company Arete was able to develop striking details about the ransomware problem across America. For example, they found that the RYUK malware extracts the highest fees: an average payment of more than $ 1.2 million, while the MAZE malware extracts payments averaging over $ 923,000. Other variants of malware result in payments that are a fraction of the most damaging charges.
And they see that payment sizes vary dramatically between industries. Healthcare paid an average ransom of $ 140,000, while financial firms paid an average of $ 210,000. The biggest blow, however, has been the tech, engineering, and telecommunications sectors, where average payments are over $ 1 million.
With such payouts it is clear that the blackmail economy is unfortunately booming.